fullstackgtm 0.27.0 → 0.28.0

package/dist/credentials.js

@@ -1,8 +1,10 @@
 import { chmodSync, existsSync, mkdirSync, readdirSync, readFileSync, statSync, unlinkSync, writeFileSync, } from "node:fs";
+import { createHash } from "node:crypto";
 import { homedir } from "node:os";
 import { join } from "node:path";
 import { refreshHubspotToken } from "./connectors/hubspotAuth.js";
 import { refreshSalesforceToken } from "./connectors/salesforceAuth.js";
+import { detectKeychainBackend } from "./keychain.js";
 /**
  * Local CLI credential store: ~/.fullstackgtm/credentials.json (0600), or
  * $FSGTM_HOME/credentials.json when set. Environment tokens always win over
@@ -118,38 +120,103 @@ function enforceCredentialFileMode(path) {
         // Missing file or non-POSIX filesystem: nothing to enforce.
     }
 }
+/**
+ * Persistence backend for the credential blob: the OS keychain when
+ * FSGTM_KEYCHAIN=1 and one is available, otherwise the 0600 file. The keychain
+ * account is derived from the credential file path so distinct homes/profiles
+ * never collide in the machine-wide store.
+ */
+function activeKeychain() {
+    if (process.env.FSGTM_KEYCHAIN !== "1")
+        return null;
+    const backend = detectKeychainBackend();
+    if (!backend)
+        return null;
+    return { account: createHash("sha256").update(credentialsPath()).digest("hex").slice(0, 24), backend };
+}
+/**
+ * When keychain is enabled on an install that previously wrote a plaintext
+ * credentials.json, that file would otherwise sit on disk forever (readFile only
+ * looks at the keychain). Import it into the keychain and remove it — the whole
+ * point of keychain mode is that no plaintext credential remains at rest.
+ */
+function migratePlaintextToKeychain(keychain) {
+    if (!existsSync(credentialsPath()))
+        return;
+    try {
+        const fileParsed = JSON.parse(readFileSync(credentialsPath(), "utf8"));
+        if (fileParsed && fileParsed.version === 1 && fileParsed.providers) {
+            const current = keychain.backend.get(keychain.account);
+            const existing = current ? (JSON.parse(current).providers ?? {}) : {};
+            // Keychain entries win over the file on conflict (the file is the older copy).
+            const merged = { version: 1, providers: { ...fileParsed.providers, ...existing } };
+            keychain.backend.set(keychain.account, `${JSON.stringify(merged, null, 2)}\n`);
+        }
+        unlinkSync(credentialsPath());
+        console.error("fullstackgtm: migrated credentials.json into the OS keychain and removed the plaintext file.");
+    }
+    catch {
+        // Best effort: a malformed/locked file is left in place rather than lost.
+    }
+}
 function readFile() {
+    const keychain = activeKeychain();
+    if (keychain)
+        migratePlaintextToKeychain(keychain);
     try {
-        enforceCredentialFileMode(credentialsPath());
-        const parsed = JSON.parse(readFileSync(credentialsPath(), "utf8"));
-        if (parsed && typeof parsed === "object" && parsed.version === 1 && parsed.providers) {
-            return parsed;
+        const raw = keychain ? keychain.backend.get(keychain.account) : (enforceCredentialFileMode(credentialsPath()), readFileSync(credentialsPath(), "utf8"));
+        if (raw) {
+            const parsed = JSON.parse(raw);
+            if (parsed && typeof parsed === "object" && parsed.version === 1 && parsed.providers) {
+                return parsed;
+            }
         }
     }
     catch {
-        // Missing or unreadable file falls through to an empty store.
+        // Missing or unreadable store falls through to an empty one.
     }
     return { version: 1, providers: {} };
 }
+function persist(file) {
+    const keychain = activeKeychain();
+    const blob = `${JSON.stringify(file, null, 2)}\n`;
+    if (keychain) {
+        keychain.backend.set(keychain.account, blob);
+    }
+    else {
+        ensureSecureHomeDir();
+        writeSecureFile(credentialsPath(), blob);
+    }
+}
 export function getCredential(provider) {
     return readFile().providers[provider] ?? null;
 }
 export function storeCredential(provider, credential) {
     const file = readFile();
     file.providers[provider] = credential;
-    ensureSecureHomeDir();
-    writeSecureFile(credentialsPath(), `${JSON.stringify(file, null, 2)}\n`);
+    persist(file);
 }
 export function deleteCredential(provider) {
     const file = readFile();
     if (!file.providers[provider])
         return false;
     delete file.providers[provider];
-    if (Object.keys(file.providers).length === 0 && existsSync(credentialsPath())) {
-        unlinkSync(credentialsPath());
-        return true;
+    const keychain = activeKeychain();
+    if (Object.keys(file.providers).length === 0) {
+        if (keychain) {
+            keychain.backend.delete(keychain.account);
+            // Defensive: remove any leftover plaintext file too (migration normally
+            // already did, but never leave a credential blob on disk after logout).
+            if (existsSync(credentialsPath()))
+                unlinkSync(credentialsPath());
+            return true;
+        }
+        if (existsSync(credentialsPath())) {
+            unlinkSync(credentialsPath());
+            return true;
+        }
     }
-    writeSecureFile(credentialsPath(), `${JSON.stringify(file, null, 2)}\n`);
+    persist(file);
     return true;
 }
 const REFRESH_SKEW_MS = 2 * 60 * 1000;
@@ -222,6 +289,13 @@ async function brokerMint(provider, options) {
     const broker = getCredential("broker");
     if (!broker?.baseUrl)
         return null;
+    // The mint replays the long-lived bearer and receives a live CRM token —
+    // refuse to do so over cleartext even if a tampered store points us at http.
+    const brokerUrl = new URL(broker.baseUrl);
+    const localhost = brokerUrl.hostname === "localhost" || brokerUrl.hostname === "127.0.0.1" || brokerUrl.hostname === "::1" || brokerUrl.hostname === "[::1]";
+    if (brokerUrl.protocol !== "https:" && !(brokerUrl.protocol === "http:" && localhost)) {
+        throw new Error(`Refusing to mint a CRM token over ${brokerUrl.protocol}//${brokerUrl.host} — the broker must use https. Re-pair with an https deployment.`);
+    }
     const fetchImpl = options.fetchImpl ?? fetch;
     const response = await fetchImpl(`${broker.baseUrl.replace(/\/$/, "")}/api/cli/token`, {
         method: "POST",

package/dist/keychain.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Optional OS-keychain backing for the credential store. Off by default;
+ * enabled with FSGTM_KEYCHAIN=1. When on, the credential blob is stored in the
+ * OS secret store instead of a 0600 file, so a cloned home, a restored backup,
+ * or another tool reading `~/.fullstackgtm/credentials.json` finds nothing.
+ *
+ * Backends shell out to the OS tool — no native dependency, so the package
+ * stays zero-dep:
+ *  - Linux: `secret-tool` (libsecret) — reads the secret from STDIN (no argv leak).
+ *  - macOS: `security` — `add-generic-password` only accepts the secret via the
+ *    `-w` argv flag, so it is briefly visible to same-user `ps` during the call.
+ *    That transient, same-user exposure is strictly smaller than a persistent
+ *    plaintext file (which the same processes can read at any time), but it is a
+ *    real caveat, documented in SECURITY.md.
+ *
+ * Keychain entries are NOT scoped by $FSGTM_HOME (the OS store is machine-wide),
+ * so the account name is derived from the credential file path to keep distinct
+ * homes/profiles from colliding. This is also why keychain is opt-in: defaulting
+ * it on would make throwaway-home test/eval runs write to the machine keychain.
+ */
+export type KeychainBackend = {
+    readonly name: string;
+    get(account: string): string | null;
+    set(account: string, secret: string): void;
+    delete(account: string): void;
+};
+/** Test seam: force a backend (or null to force "none"). undefined = re-detect. */
+export declare function setKeychainBackendForTests(backend: KeychainBackend | null | undefined): void;
+/** The active backend for this platform, or null if none is available. */
+export declare function detectKeychainBackend(): KeychainBackend | null;

package/dist/keychain.js

@@ -0,0 +1,85 @@
+import { execFileSync } from "node:child_process";
+import { platform } from "node:os";
+const SERVICE = "fullstackgtm";
+function hasBinary(bin) {
+    try {
+        execFileSync("/usr/bin/env", ["which", bin], { stdio: "ignore" });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+const macosBackend = {
+    name: "macos-keychain",
+    get(account) {
+        try {
+            return execFileSync("security", ["find-generic-password", "-s", SERVICE, "-a", account, "-w"], {
+                encoding: "utf8",
+                stdio: ["ignore", "pipe", "ignore"],
+            }).replace(/\n$/, "");
+        }
+        catch {
+            return null; // not found → non-zero exit
+        }
+    },
+    set(account, secret) {
+        // -U updates if present. NOTE: the secret is in argv for the duration of
+        // this call (see the module comment); `security` has no stdin path.
+        execFileSync("security", ["add-generic-password", "-U", "-s", SERVICE, "-a", account, "-w", secret], {
+            stdio: "ignore",
+        });
+    },
+    delete(account) {
+        try {
+            execFileSync("security", ["delete-generic-password", "-s", SERVICE, "-a", account], { stdio: "ignore" });
+        }
+        catch {
+            // already absent
+        }
+    },
+};
+const secretToolBackend = {
+    name: "linux-secret-tool",
+    get(account) {
+        try {
+            return execFileSync("secret-tool", ["lookup", "service", SERVICE, "account", account], {
+                encoding: "utf8",
+                stdio: ["ignore", "pipe", "ignore"],
+            });
+        }
+        catch {
+            return null;
+        }
+    },
+    set(account, secret) {
+        // secret-tool reads the secret from STDIN — no argv exposure.
+        execFileSync("secret-tool", ["store", "--label", `${SERVICE} ${account}`, "service", SERVICE, "account", account], {
+            input: secret,
+            stdio: ["pipe", "ignore", "ignore"],
+        });
+    },
+    delete(account) {
+        try {
+            execFileSync("secret-tool", ["clear", "service", SERVICE, "account", account], { stdio: "ignore" });
+        }
+        catch {
+            // already absent
+        }
+    },
+};
+let override;
+/** Test seam: force a backend (or null to force "none"). undefined = re-detect. */
+export function setKeychainBackendForTests(backend) {
+    override = backend;
+}
+/** The active backend for this platform, or null if none is available. */
+export function detectKeychainBackend() {
+    if (override !== undefined)
+        return override;
+    if (platform() === "darwin" && hasBinary("security"))
+        return macosBackend;
+    if (platform() === "linux" && hasBinary("secret-tool"))
+        return secretToolBackend;
+    return null;
+}

package/dist/mcp.js

@@ -23,8 +23,15 @@ async function importPeer(specifier) {
     }
     catch (error) {
         try {
+            // Last-resort fallback to the invoking project's node_modules (the npx
+            // landmine: peers there, fullstackgtm in the npx cache). This loads code
+            // from the current working directory, so make it VISIBLE — running the
+            // MCP server in an untrusted directory could otherwise silently load a
+            // malicious `zod`/SDK from its node_modules.
             const projectRequire = createRequire(join(process.cwd(), "package.json"));
-            return (await import(__rewriteRelativeImportExtension(pathToFileURL(projectRequire.resolve(specifier)).href)));
+            const resolved = projectRequire.resolve(specifier);
+            console.error(`fullstackgtm-mcp: loading peer "${specifier}" from the current directory (${resolved}). Only run the MCP server in a directory you trust.`);
+            return (await import(__rewriteRelativeImportExtension(pathToFileURL(resolved).href)));
         }
         catch {
             throw error; // the original error carries the missing-peer signal mcp-bin reports on

package/dist/types.d.ts

@@ -281,6 +281,12 @@ export type PatchPlan = {
     filter?: {
         objectType: "account" | "contact" | "deal";
         where: string[];
+        /**
+         * The date the filter's comparison `today` literal resolves to (ISO
+         * yyyy-mm-dd). Stored so apply-time re-verification resolves `today`
+         * identically to plan time; absent on plans built before comparison ops.
+         */
+        today?: string;
     };
     /**
      * Plan-level guards re-evaluated against a FRESH snapshot at apply time.

package/docs/api.md

@@ -91,8 +91,11 @@ emits a standard dry-run `PatchPlan` for the normal approve → apply chain:
 
 - `buildBulkUpdatePlan(snapshot, options: BulkUpdateOptions)` with
   `parseWhere` (filter expressions: `=`, `!=`, `~`, `!~`, `:empty`,
-  `:notempty`, `|` any-of, relational pseudo-fields) and
-  `isFilterableField`. Filters are re-verified per record at apply time;
+  `:notempty`, type-aware comparisons `<`, `>`, `<=`, `>=` — `today` resolves
+  to `options.today`/the policy date, date and numeric fields coerce by value
+  form, `|` any-of, relational pseudo-fields) and `isFilterableField`. Filters
+  are re-verified per record at apply time (the resolved `today` rides along on
+  `plan.filter.today` so re-verification agrees with plan time);
   `from:<sourceField>` values derive per record from the snapshot.
 - `buildDedupePlan(snapshot, options: DedupeOptions)` with `dedupeKey` —
   duplicate groups by normalized identity key, one `merge_records` per group,

package/llms.txt

@@ -61,7 +61,13 @@ Storage is profile-scoped under `<home>/market/<category>`. MCP:
 snapshot into a dry-run plan; the FULL filter is re-verified per record at
 apply time (plus mid-apply rechecks); equality filters double as
 preconditions, `--require`/`--guard` add explicit ones, `--max-operations`
-caps blast radius. `--set f=from:<source>` derives per-record values (empty
+caps blast radius. Filter operators: `=` `!=` `~` `!~` `:empty` `:notempty`,
+plus type-aware comparisons `<` `>` `<=` `>=` (`today` resolves to the policy
+date, e.g. `closeDate<today`; date fields compare as dates, numeric as
+numbers, unset/non-parseable values do not match). For date/count hygiene
+(past close dates, stale deals, missing accounts, duplicates) prefer the
+rule-backed `fix --rule <id>` — it encodes the date/open-deal logic
+deterministically; reach for bulk-update only when no rule covers the task. `--set f=from:<source>` derives per-record values (empty
 source = skip + count, never guess). `--archive` refuses records sharing an
 identity key — merge with `dedupe` instead. `dedupe <object> --key
 <domain|email|name>` = one merge_records op per duplicate group,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "fullstackgtm",
-  "version": "0.27.0",
+  "version": "0.28.0",
   "description": "Open-source agentic GTM ops framework: canonical GTM data model, pluggable deterministic audits, reviewable dry-run patch plans, approval-gated write-back with conflict detection, and cross-system entity resolution. HubSpot, Salesforce, and Stripe connectors included.",
   "license": "Apache-2.0",
   "author": "Full Stack GTM <security@fullstackgtm.com> (https://fullstackgtm.com)",
@@ -37,7 +37,7 @@
     "DATA-FLOWS.md"
   ],
   "scripts": {
-    "build": "tsc -p tsconfig.build.json",
+    "build": "rm -rf dist && tsc -p tsconfig.build.json",
     "test": "node --experimental-strip-types --test tests/*.test.ts",
     "prepublishOnly": "npm run build"
   },